Last.fm users are the latest internet community to get the “change your password” message as the music streaming site investigates a “leak of some user passwords”.
However, unlike LinkedIn or eHarmony, Last.fm has jumped on the suspicion that something’s wrong, rather than waiting for user passwords to appear on the Internet. In …

ohhhh :-)

A question . . .

. . . . Passwords hashed and salted are only a protection against people with access to the database; if they have access to that, what else did they get and do? Of course this assumes no crazy access such as SELECT * FROM <tablename> injection (sqlMap) showing on screen. Obviously this goes for the other recent hacks (LinkedIn, . . .): have any of these people disclosed how access to the database was gained? Guess not.

Error: logic consistency failure

"Last.fm takes your privacy very seriously,"

Isn't the whole point of Last.fm to publish every last little song you listen to, for others to marvel at? In what way is that "privacy"? Isn't the very use of Last.fm discarding an element of your privacy?

It seems the one word that best sums up the whole Web2.0 is:

ME

"Look at ME. Here MY music list. This is where *I* am. This is what *I* am thinking. Here are MY friends. These are the movies *I* am watching. Let ME tell you more about MY favorite subject - ME!"

And then people are surprised when the various web sites dedicated to letting them broadcast their every little movement aren't very careful with their privacy.

Re: Error: logic consistency failure

Yes, and very interesting; I looked at my last.fm account for the first time in what is probably years - I use last.fm ripper and my Onkyo amp rather than pissing about with their interface - and saw that my email address was still the free hotpop.com address, which died along with the free part of hotpop.com a few years ago.

I don't broadcast my activities and interests on these sites. Clearly I am there for only one thing, and the software that I use says it all. I don't put personal addresses in these sites; I enter bogus data. Similarly when I obtain free music from bandcamp I use meltmail or similar for a short duration, where required, so they can email me the URL and force spam on me, they think.

As a general rule, I don't enter identifying optional personal data; where data are required, I enter bogus identifying data. For me social networking sites are useless unless they have something tangible that I want, music, searching out old contacts, information on IT security, and so on.

Whether my policy has paid off or not I do not know, but I have observed in the past couple of years a tendency for establishments/institutions, ranging from employers through to government departments, to snoop on people, with some employers insisting on seeing an employee's or prospective employee's Facebook pages. I don't have any because I don't have a Facebook account. Sometimes I open one when I am looking for an old contact; I use a false name and other critical data, and I use a password generator for long passwords that include digits, symbols, and upper/lower case. I leave out the optional data. I close the account when I'm finished. The last time I did so there was a nuke option that was publicised during one of the many Facebook bad security revelations.

Then there is the complex vs simple password argument that has reared its ugly head, and I see that some are veering toward memorable and long. Perhaps I am a cynic... Speaking of security, it has come to a pretty pass when the director of one of the British intelligence and security services can be caught out on his Facebook pages, allowing the world to see his private data. The man should be fired.
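The commenter above mentions a generator for long passwords with digits, symbols and mixed case, and the "memorable and long" versus "short and complex" argument. As an added example (my code, not the commenter's tool), the generator below draws from a CSPRNG and uses rejection sampling so every required class is present without biasing the result, and `entropy_bits` carries the arithmetic behind the argument: a six-word passphrase from a 7776-word list (the size of a standard diceware list, an assumption here; the embedded word list is a constructed toy) has about the same guess-resistance as a twelve-character password over the full 86-symbol alphabet.

```python
"""Added example (not from the thread): a character-class-guaranteeing
password generator, a passphrase generator, and the entropy arithmetic
behind 'long and memorable' versus 'short and complex'."""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 symbols

# Constructed toy word list; a real passphrase list has thousands of entries.
WORD_LIST = ["amp", "onkyo", "ripper", "salt", "hash", "leak", "spam", "nuke"]
DICEWARE_SIZE = 7776  # assumption: size of a standard 5-dice word list


def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Uniform draw over the alphabet, rejecting candidates that miss a class.
    Rejection keeps the distribution uniform over all qualifying passwords,
    unlike 'pick one of each class then shuffle', which skews the result."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORD_LIST) -> str:
    """Space-separated words chosen uniformly with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `symbol_count` symbols."""
    return length * math.log2(symbol_count)


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(6))
    print(round(entropy_bits(DICEWARE_SIZE, 6), 1), "bits for 6 diceware words")
    print(round(entropy_bits(len(ALPHABET), 12), 1), "bits for 12 mixed-class characters")
```

The entropy figures assume the words and characters are chosen uniformly at random; a phrase or password a person composes by hand is not drawn that way, which is the weakness "memorable" schemes have to be checked against.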